LATEST FROM OUR BLOG

Take your daily dose of (only) relevant news, useful tips and tricks and valuable how to's on using the latest web technologies shaping the digital landscape. We're here to do all the necessary information sifting for you, so you don't have to, to provide you with content that will help you anticipate the emerging trends about to influence the web.

Drupal 8 Paragraphs: a fast way to build landing pages
It isn't for no reason that we've called the Drupal 8 Paragraphs module an "emergency kit" that Drupal 8 comes "to your rescue" with. Not only does it make building a landing page so very time-efficient, but it "fortunately" limits your creative freedom.

How come "fortunately"? Because the fewer options you have at your disposal to distract you and to challenge your creativity, the more focused you are.

To put it simply: it's the lack of options that sharpens your mind!

It challenges you to take the best decisions in a short time while empowering the end user with so much flexibility (he/she can rearrange and edit the content later on). It dares you to come up with an ideally simplified (not necessarily minimalistic, although "extreme minimalism" is such a huge trend these days) result and to put the spotlight on content (that's right, The King).

Now let us show you precisely how you can use the Drupal 8 Paragraphs module and integrate it into your team's landing page creation process.

Steps to take with the Drupal 8 Paragraphs module

1. Get It Running (plus helpful stuff about handling paragraph types and fields)

- add the Entity Reference Revisions and the Paragraphs modules to your website
- notice that the Drupal 8 Paragraphs module comes equipped with multiple new "paragraph" fields
- notice that you get to theme them and to control the way they'll display on the web page, as well
- add a new paragraph field on the target Content Type and select the Paragraph Types (Structure > Paragraph Types) that later on the end user can administer (as a developer you practically get to create precisely those types of paragraphs that your client needs)
- use paragraphs independently from one another (they're predefined)
- although they're called "paragraphs", they can take whatever form/functionality you want; they range from images, headlines, buttons, text blocks, links etc.

Each one of them is a different paragraph type with its own "collection" of fields (that you get to define).

2. Build Your Landing Page (Plus An Example)

So, you've added the Drupal 8 Paragraphs module to your website, you've learned about the Paragraphs' "juicy" features, now let's get to work (for there was an unreasonable deadline haunting you, remember?)

First, define the paragraph bundles that you'll be using later (using the User Interface). They come in three "versions":

- simple: title + body field
- advanced: title + body + field collection fields
- blocks paragraphs: title + body + block reference field (the cool thing about this type of paragraph bundle is that the end user gets enabled to add maps, embed sliders, views blocks etc.)

In a nutshell: you select the node you'd like to add your paragraph-type field to, then you choose the paragraph bundle that this specific field will refer to.

Ok, now let's imagine that we're rushing in (we have no choice, the clock is ticking) to create a "call to action" type of paragraph.

Our long experience as landing page "creators" will then instantly unfold a list of call to action-specific components in our mind: text, link, message.

What do you do then? You add all these fields that your mind's informing you about to your Paragraph Type.

Let's sum it up:

- add your Paragraph Type called "Call to Action": Paragraph Types > +Add Paragraph Type
- add all the needed fields (link, title, image and the rest) to your "Call to Action" Paragraph Type: Manage Fields > +Add Field
- create a landing page content type and a field of type Paragraph labelled "Call to Action"

Afterwards, from Settings you get to predefine which Paragraph types will be referenced.

Probably one of the most alluring features of this module is that it enables you to display even far more complex components (galleries, videos, ads): you simply create a paragraph type for each one of these complex components and then give permission to the end user to reference them.

Reference Type > Reference Method: Default > Type

Note that it's "none" that you must select from the "paragraph types" drop-down menu, so that the user can reference more than just one type.

3. Decide How Your Fields Will Get Displayed

There, you have your content added to your landing page and yet: don't rush in to proudly show your "work of art" to your client!

There's one more fix you still need to do: setting up the way the call to action gets displayed.

Go to Manage Display and do your thing: format and update the order in which those fields will get displayed.

Now it's just a matter of... filling in the blanks, since all the major configuration and predefining steps have been taken.

When it comes to your landing page's customized visuals, add CSS and override templates.

Here's An Ultra Efficient Workflow for Building Up a Landing Page

1. Gather and structure all your information and fill in the landing page content form
2. Choose a Paragraph type for each fragment of content
3. Add the elements of design that each paragraph form requires
4. Mix and match, edit and rearrange the paragraph entities till you get the desired result
5. Test out the results, of course!

See? Quick and easy!

And although some might say that Paragraphs limits your creativity, in fact, it actually challenges you to be ultra efficient and, given the limited options, to get even more creative. Ironic, right?

What's your opinion on the Drupal 8 Paragraphs module? Have you been using it for building your landing pages so far? ... Read more
Adrian Ababei / Nov 22'2016
Our Top 5 Drupal 8 Modules
The much-awaited, much talked about and supposedly innovative Drupal 8 is still "too shiny and new" for you? Still a bit "nostalgic" about the good old, so familiar Drupal 7?

Well, don't be! We're going to point out to you 5 of its coolest modules, which will make your life as a website builder a lot... simpler (for, besides flexibility, simplicity has always been one of the Drupal community's ultimate goals).

Now let's just dive into our selection of "juicy", highly useful, won't-be-able-to-live-without-anymore Drupal 8 modules!

1. Views

It's by far one of the most used modules in Drupal, so no wonder that the worldwide team behind Drupal 8 strove to improve it.

Probably one of the best pieces of news regarding this module is that it's a core module now! You do realize what this means, right? You'll get it by default, along with the whole installation package, no need to add it yourself, manually, afterwards anymore.

And since Drupal's all about "empowering the non-technical end-users", you'll be glad to hear that the Views module comes equipped with some new too-hard-to-resist "powers" for you:

- as a content editor and site builder it enables you to filter and to display information depending on your predefined parameters: you can create a block listing the most recent posts, you get to "play with" your taxonomy listing, to put together a slideshow with the best images of the last month or a sidebar with the most recent/longest/interesting/useful comments on your website etc.
- as an admin, you get "spoiled" by all the "responsibilities" that Views takes on in Drupal 8: it controls the content admin page, the user admin page, lists, blocks and more. Moreover, you get to "work your magic" without even having to write a single line of code, just by "playing" in its admin interface: configure lists, calendars, create photo galleries etc.

2. Rules

You may not be inclined to follow rules in your life outside Drupal's world, but how about the power to set up your own rules for your website?

This contributed module allows you to create three types of rules which, put together, create a complex, logical sequence: you can set up an event (first rule), a condition (second rule), which leads to a certain action (third rule).

Here's a suggestive example for you: you're a website's admin, right? Well, imagine now that someone posts a comment on your site (event) and, thanks to your configured rules, you automatically get an email informing you about this posted comment (action). Got it?

The whole "attraction" of the Rules module is the fact that it enables you to create and to manage automated workflows on your website.

3. Features

Now here's another super useful contributed module that Drupal 8 "spoils" you with!

It will be extremely useful in your work especially if you have a whole portfolio of Drupal websites to juggle (as 99% of organizations do). How precisely?

You'll get to import/export your multiple configurations and all your code as whole packages that you can then move across your whole collection of websites.

Enlightening example: just imagine that you've come up with a rule (you know, we've just talked about that module). Ok, now the great part is yet to come: you can export it so that it can get imported to all the other websites that you might administer, simultaneously. Time-saving and efficiency-boosting, wouldn't you agree?

4. Admin Toolbar

Ok, ok, so you think that it has been improved and yet that it could have turned out much better.

Still, we can't underestimate the role it plays in your work as a Drupal site developer: its menu (now replacing the old Admin Menu module) is responsive. It sure fits the whole Drupal 8 "mobile-first philosophy", right?

5. Pathauto

If the whole "SEO is dead" nonsense hasn't got to you, you'll find this module to be so helpful.

What does it do exactly? It upgrades your website with search engine-friendly, clean URLs for your content. Of course, you'll be lending this specific module a decisive helping hand to enable it to get your site SEO-friendly, since you'll be the one predefining the page path patterns.

The result? Standard Drupal links turn into readable links that your visitors will love and, since happy visitors mean a better Google rank, you do the math!

These are our top 5 Drupal 8 modules. What does your own top 5 list look like? Are any of our picks listed there or not? Feel free to share it with us. ... Read more
Adrian Ababei / Nov 18'2016
Here Is How You Create Drupal 8 Comments Programmatically
Since flexibility's already one of Drupal's emblematic features, it was about time they did something about their quite rudimentary commenting system, right? Well, get ready to embrace the upgraded Drupal 8 comments, which are far more than just some basic settings in a node type.

So, What Makes the Drupal 8 Comments Far More Tempting?

1. They're set up as fields

That's right, comments are no longer fieldable, full-featured entities. They're still entities but set up as fields. What's in this for you? You get to choose where exactly on the page your comments will get displayed and you're no longer restricted to adding them to content only (now they can practically "show up" anywhere fields can).

2. Comments have their own fields

Can you believe this! Not only are they set up as fields in Drupal 8, but you can also add a set of fields to each comment.

3. They're of several types

Now, this is just a big step ahead of the standard, one-type-only comments in Drupal 7!

For instance, now you can add comments to taxonomy terms, to users, blocks, contact messages, content and even to... other comments.

Just imagine: you're the admin of a social networking site! You can leave private notes to your users, they, as well, can leave their own private suggestions for you, while users can also leave comments on your public-facing website, too.

Here's another quick example of the Drupal 8 commenting system's flexibility: if you want to add comments to a content type you simply add a field "Comments" on the "Manage Fields" page and voila: there's your comments field!

Still, when it comes to this new upgrade in Drupal's commenting system, we must be fair and point out an issue that still needs improvement: in Drupal 8 multiple types of comments don't come with multiple individual permissions as well. This means that anyone who's granted permission to post a certain type of comment can practically post any type of comment on the website.

4. Comments have their own area now

You get to scroll through the "Unapproved Comments" and the "Published Comments" lists.

5. The "Recent Comments" block is in Views

Remember how frustrating it was realizing that you could not edit your "recent comments" block in D7? Things have changed now: the "recent comments" block has been moved to "Views" in Drupal 8 and is available by default.

And Here's How You Can Create Your Comments in Drupal 8

Basically, the whole process comes down to 2 major steps:

1. You create a comment entity in code.
2. Then you save it.

Here's how the code should look:

// To create a new comment entity, we'll need to `use` (import) the Comment class.
use Drupal\comment\Entity\Comment;

// The function name doesn't matter. Just put the function body where you need it.
function my_modules_function_or_method() {
  // The comment text. comment_body is a formatted text field, so it takes a
  // value plus the machine name of a text format configured on your site.
  $body = [
    'value'  => 'This is the body of my awesome comment.',
    'format' => 'basic_html',
  ];

  // First, we need to create an array of field values for the comment.
  $values = [
    // These values are for the entity that you're creating the comment for, not the comment itself.
    'entity_type' => 'node',            // required.
    'entity_id'   => 42,                // required.
    'field_name'  => 'comment',         // required.

    // The user id of the comment's 'author'. Use 0 for the anonymous user.
    'uid' => 0,                         // required.

    // These values are for the comment itself.
    'comment_type' => 'comment',        // required.
    'subject' => 'My Awesome Comment',  // required.
    'comment_body' => $body,            // optional.

    // Whether the comment is 'approved' or not.
    'status' => 1,                      // optional. Defaults to 0.
  ];

  // This will create an actual comment entity out of our field values.
  $comment = Comment::create($values);

  // Last, we actually need to save the comment to the database.
  $comment->save();
}

Now let's have a closer look at each one of these fields:

- entity_type: it's the type of entity that you attach your comment to (a node, for instance)
- entity_id: it's the id of the entity that you'll attach the comment to (it would have to be a nid in case it's a node that you'll attach it to)
- field_name: this is the comment field on the entity that you're attaching your comment to

Practically, what these first 3 fields do is let Drupal know what entity it should attach your comment to. This whole "flexibility" laid at your feet, that you get to juggle multiple comment fields on the same entity and the fact that those comment fields can use multiple types of comments themselves, is just part of the upgrades added to the commenting system.

- uid: informs Drupal which user wrote a specific comment
- comment_type: the type of comment you want to create (you know, we've already talked about how in Drupal 8 you have several types of comments to juggle with). The default comment type will be just comment
- subject: just like a node comes with a title field, so does a comment come with a "subject" field in Drupal 8
- comment_body: is provided by default and you can remove it, just like you can remove any other one of the fields
- status: if you don't want, as admin, to be asked to approve each comment before it goes live, set it to 1
- field_foodbar: although it does not show in the above example of code, we still wanted to show you that you're free to add custom fields if you want to. Simply use the field's machine name and give it a default value.

So, what do you think about Drupal's new commenting system?

Do you find the improvements made to the way you can create comments to be a big step ahead, contributing to Drupal's overall flexibility, or do you consider that there are many other possible upgrades (feel free to name them) that its developers should have focused on? ... Read more
Adrian Ababei / Nov 16'2016
How to Manage Your Drupal 8 Configuration Workflow with Git: A 4-Step Guide
Wouldn't you agree that managing configuration is vital in the life-cycle of a multi-person project? Well, its importance used to be, until recently, proportional to its main dreaded feature, that of being a major nuisance for web development teams: highly important configuration settings were missing, leading to major inconsistencies when it came to configuration handling, commits made by the members of the team resulting in conflicts etc.

Have no fear, the Drupal 8 Configuration Management System Is Here!

That's right, Drupal's latest version comes to relieve your team of all the stress that parallel configuring actions might lead to. Upgraded with tempting configuration management tools, it allows developers to export/import all the configuration settings they have performed to/from code.

Moreover (and this is the very best part of the Drupal 8 configuration management system), Git allows the members of your team to put configuration under version control, thus keeping track of it (the ultimate goal of any configuration management endeavor, after all!).

What does this mean?

1. that you'll have a history of all configuration changes
2. that you can compare different configuration states

Setup

Do you already have a development version of Drupal 8 installed on your system? Is Drush available there, as well?

Well, before you go any further we have a "warning"/piece of advice for you:

Make sure not to put the files/folders that came with Drupal's specific setup (e.g. sites/default/settings.php, sites/default/files/, sites/default/files/css/ etc.) into your repository! How to avoid that? Just make a copy of the "example.gitignore" file (that you get with Drupal) and place it in .gitignore, then adjust it to your website's specific needs, thus keeping the files directory and settings.php unexposed to the risk of getting versioned.

Initiate The New Repository

Once you've downloaded your Drupal 8 version, simply initialize and register a new repository along with it:

$ git init
$ git add .
$ git commit -m "Initial Commit: Drupal 8.x Code base"

Great! Now consider this: the Drupal 8 configuration management system only works on distinct instances of the same website! So, what solution do you have? You simply clone it: import the database of the website to be cloned in the other environment!

Next, add your remote repository clone URL:

$ git remote add origin REMOTE_CLONE_URL

Push the commit up to GitHub:

$ git push -u origin master

... and voila: you have your new functional Drupal 8 website!

Now let's start "playing" with the Configuration Management System that Drupal 8's developers "spoil" us with, easing our work by giving us full control over all the changes we (along with our teammates) will apply to our site later on during its development process!

Go ahead and export your configuration

After you've set up the needed configuration, it's time to export it. How? Use the command line for exporting the site configuration to a new folder (config/site):

$ mkdir config
$ drush config-export --destination=config/site

Next, commit and push the configuration to the repository.

There, you've just created your own "safe", the one that stores priceless website information!

Practically, you now have a valuable snapshot of how your website looked when you installed it. From now on, dare to perform any configuration you'd like, knowing that at any time you can just roll back your site to precisely this state: the one right after its installation!

Time To Import Your Configuration

For importing your configuration from config/site, rely on this "powerful" command:

# Import the configuration from the repository
$ drush config-import --source=config/site

Why powerful? Because it instantly overwrites the current configuration!

It's after you've exported your configuration that you can merge it with that of the other members of your web development team:

- add and commit the configuration to Git
- use git pull, then focus on fixing any commit conflicts that might arise

At this point, we have another warning/helpful piece of advice for you: don't rely exclusively on Git for the configuration's merging part. Be sure to check whether the result of the merge is correct, whether it makes sense!

If everything has gone smoothly with your configuration's importing process, you can go ahead and push it to the remote repository.

Valuable Pieces of Advice

1. Always export configuration first and pull the configuration changes made by your collaborators second! Why? Because Git doesn't recognize the changes you have applied to your database until you actually export them!
2. Always import first, push second! This means that it's always safe to import the configuration and only then to push it to the remote repository, avoiding the risk of breaking the site (in case you're dealing with a broken configuration)
3. Accompany each import with a database dump, thus granting your team a backup in case anything goes wrong
4. Deal with this thought: you can't rely on Git for everything! Don't loosen your vigilance, especially when you're a member of a larger team working on the same project! ... Read more
Adrian Ababei / Nov 14'2016
Not All Content Is King in Drupal 8: Mobile, Global Content Is
Can you handle all the... power that Drupal 8 is about to lay in your very hands, whether you're a developer, a marketer/content editor or a user/end-user? Will you take the dare to set yourself free from the desktop and from any regional or language limitations and to step into the... future?

If you answered "No", then... good luck with implementing your digital "vision", you'll need it!

But if you've answered "I'm not sure" or "what does this fancy utopia even mean?", you'll definitely want to read the following true facts about Drupal 8.

Empower yourself with helpful information about what is described as "the world's leading digital experience platform that helps you manage and deliver web content across channels and devices."

Shifting to a Mobile First Mentality

"If I were to start Drupal from scratch today, I'd build it for mobile experiences first and desktop experience second", Dries Buytaert.

Need we add more to this suggestive quote?

We're not going to beat around the bush stating the obvious (that users have started to rely more on their mobile devices for... getting themselves informed, entertained or for buying/booking certain goods/services).

Instead, what we'd like to point out to you is precisely those upgrades that the visionary team behind Drupal 8 have equipped it with:

- it was conceived primarily for mobile devices (and only secondarily for desktops), therefore it's structurally made to support responsive design
- it sets itself apart from the (now) rudimentary belief of "one size fits all"
- it comes upgraded with responsive image support (pictures adapt automatically to any device's specific viewport size, without affecting the page's loading time)
- it turns managing content on mobile devices into a highly intuitive process (its admin has been significantly adapted for mobile)
- it empowers site builders with new responsive themes, mobile-adapted ones, thus enabling them to get... creative and craft great Drupal 8 websites that look appealing on mobile devices

Drupal 8 Encourages You to Go... Global

In other words, Drupal 8 supports your "taking over the world" vision (only as a visionary entrepreneur of the digital era, of course...).

Since now you should start envisioning user-friendliness as "user friendliness on a global scale", what Drupal 8 does is that it... empowers you (sorry, we couldn't find a more appropriate word to describe Drupal 8's main... "mission") with all the cool tools you'll need for going... international:

- Content Translation module: it helps you communicate in your users' own languages, therefore to easily translate your site's content
- Interface Translation module: it helps you, as a site developer, by giving you the chance to... build sites in your own language (you get to actually translate the blocks, the toolbars, the menus etc.)
- Language module: it... empowers you (there, we did it again!) to determine specific languages (that your site will support) for your target visitors

Usability + Accessibility = A New Winner in the Drupal vs WordPress Showdown

We didn't find it necessary to add customization to the above formula, for this is already THE feature (along with the related flexibility) that Drupal has become famous for among developers belonging to both teams (the Drupal enthusiasts and the WordPress fans for life).

Now let's sum it up:

- Drupal 8 websites/apps can be accessed anywhere on the globe
- Drupal 8 websites/apps can be accessed on practically any type of device

OK, so we've cleared the accessibility issue out!

But what about usability, the ultimate goal that both Drupalers and WordPress enthusiasts are craving while their developers are striving to reach it?

Let us check this ultimate goal off the list, as well:

Content Editors/Marketers Get More Power Than Ever

That's right, Drupal 8 is not just about easing the developers' work or about putting the user and the end user into the spotlight. It's also about empowering content marketers.

In this respect, here's how Drupal 8 will "lighten up" your work life, if you're a content marketer:

- the integrated WYSIWYG editor, easing content authoring
- the on-page editor
- better preview
- uploading images with drag and drop
- modules (more of them) for monitoring your SEO-oriented activity
- easy to integrate Yoast and Google Analytics

But What Is in It for Drupal Website Developers?

Still, if Drupal 8 is focused on the end user more than all the previous Drupal versions and if it invests content marketers with so much power, it doesn't mean that... there's nothing in it for website builders, too.

We've kept "the best" for last, so to say...

So, if you're a Drupal website developer (or willing to become one), here's how Drupal 8's own visionary developers have decided to ease your work:

- REST APIs
- PHP 7, and we all know that this is a huge step forward, turning Drupal 8 into one of the most dynamic content management platforms out there
- you get to use it as a data source (you get to post data from the front end and output content as XML or JSON)
- Hypertext Application Language
- JavaScript automated testing
- customization is still... king with Drupal 8, too: you get to customize your admin tools, lists, views, determine the way your data gets displayed (and all that without having to write code)
- more fields for you to better structure your content

Now that Drupal 8 empowers you with accessibility, usability, a mobile-first mentality and a global-ready vision, all you need to bring to the table is... your own share of innovation, creativity and... boldness, and you can go ahead and craft the digital experiences of the future! ... Read more
Adrian Ababei / Nov 08'2016
Add Google Fonts to your Drupal 8 Theme
Adding Google Fonts to your Drupal 8 theme can be a bit more difficult than with Drupal 7. This is an example of how to install a font for every page of your website. Here is the method previously used to install Google Fonts on every page of the theme using Drupal 7:

function MYTHEME_preprocess_html(&$variables) {
  // this function is deprecated in D8
  drupal_add_css('//fonts.googleapis.com/css?family=Roboto+Condensed', array('group' => CSS_THEME));
}

But in Drupal 8 it's completely different: we need to use the libraries method, which is a bit more complicated. First things first, we need to add a library in the last two lines of the theme.info.yml file. Remember that when adding the theme name you need to use all lower case for it to work properly.

name: Test
description: Test theme
type: theme
base theme: theme name
core: 8.x
libraries:
  - test/fonts

After that, a library file needs to be created: the library is defined as themeName/libraryName in the .info.yml file. The library file is named themeName.libraries.yml. This file opens with a declaration of libraryName:

fonts:
  license:
    name: SIL Open Font License, 1.1
    url: https://goo.gl/UpQhAK
  css:
    theme:
      //fonts.googleapis.com/css?family=Roboto+Condensed: { type: external }
      css/myStyles.css: {}

The YML file will work even without a license section, but it's a good idea to mention it as well. The font's URL has the "http:" scheme removed so that it's agnostic to secure-or-not connections at runtime. If everything is done properly you should be able to view the adjusted lines of code. All you need to do now is implement the font into your CSS through a rule in the myStyles.css file located in your css folder. ... Read more
Adrian Ababei / May 10'2016
Drupal Development and Twig: What Are the Main Benefits for Replacing the PHPTemplate with Twig?
Drupal development is becoming an increasingly popular choice for developers all around the world. This has sparked interest in upgrades for this technology. Drupal used to work with the PHPTemplate engine, which sought to separate the presentation layer from the logic layer. Recently Drupal development took one step further by replacing PHPTemplate with Twig, the latter being more secure and powerful.

Twig & Drupal Development

With Drupal 7, text submitted by the user needed the check_plain() function in order to prevent the ever-present vulnerability of cross site scripting, or XSS. If a theme's output wasn't sanitized, it was a huge security risk. Autoescaping was recently accepted into Drupal 8 as well, which made Drupal development much safer. PHP functions are also removed from templates, in line with separation of concerns. Here is the new Drupal development mark-up:

Old:

<?php print render($content); ?>

New:

{{ content }}

The new syntax makes Drupal development faster and cleaner, a clear separation between presentation and logic with an added security boost. Twig offers many other benefits, including inheritance; this has been called one of Twig's biggest assets.

By integrating Drupal development with Twig, the need to copy and paste the parent theme's template files into custom templates is eliminated. Twig limits the amount of template code and files you need to organize within your theme.

{% extends "themes/sub_bartik/templates/node.html.twig" %}

This is quite similar to PHP's "include" function: it allows you to create hookable, dynamic templates. But there's another feature which makes Twig great: Twig blocks.

Parent file:

{# This empty block allows child templates to insert markup into this place in the header without re-writing the entire template. #}
{% block header_fields %}
{% endblock %}

New file:

{# Override the header_fields block to put field_image there because this site needs it there. #}
{% block header_fields %}
  {{ content.field_image }}
{% endblock %}

With the use of Twig and Twig blocks, Drupal development will become much easier; this also makes Drupal websites much safer and more powerful. ... Read more
Adrian Ababei / Oct 23'2015
10 Ways Drupal 8 Will Be More Secure
Security is very hard to bolt on to any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, and thus the upcoming release of Drupal 8 tries to build in more security by default, while still being usable for developers and site builders. This list of 10 security improvements is not exhaustive - some are just a line or two to handle an edge case, and there are others I may have overlooked. I've contributed to a number of these improvements, but they reflect overall the community consensus as well as reactions to problems that required security releases for Drupal core or contributed modules in the past. For each point I've tried to include a link or two, such as the Drupal core change record, a documentation page, or a presentation that provides more information. Some of these may also be possible to back-port to Drupal 7, to benefit you even sooner. A "7.x back-port" link indicates that.

For context on why these 10 improvements are important, I looked at past security advisories (SAs) as well as considering the kind of questions we get here at Acquia from companies considering adopting Drupal. In terms of past SAs, cross-site scripting (XSS) is the most commonly found vulnerability in Drupal core and contributed modules and themes.

1. Twig templates used for html generation

This is probably first on the list of anyone you ask about Drupal 8 security. This is also one of the most popular features with themers.

One security gain from this is that it enforces much stricter separation of business logic and presentation, which makes it easier to validate 3rd-party themes or delegate pure presentation work. You can't run SQL queries or access the Drupal API from Twig.
In addition, Drupal 8 enables Twig auto-escaping, which means that any string that has not been specifically flagged as safe will be escaped using the PHP function htmlspecialchars() (i.e. the same as Drupal 7's check_plain()). Auto-escaping of variables will prevent many XSS vulnerabilities that are accidentally introduced in custom site themes and in custom and contributed modules. That fact is why I ranked this as number one: XSS is the most frequent security vulnerability found in Drupal code. We don't have a lot of hard data, but based on past site audits we generally assume that 90% of site-specific vulnerabilities are in the custom theme.
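As an added illustration of the auto-escaping described above (and of the Drupal 7 check_plain() habit the Twig post earlier on this page refers to), here is a small stand-alone PHP script. It is not code from either post or from Drupal core. It assumes the Twig library is installed with Composer and uses the namespaced Twig 2/3 class names (Twig 1.x, current in 2015, spelled them Twig_Environment and Twig_Loader_Array); the untrusted input and the template names are constructed samples.

```php
<?php
// Added example: what Twig auto-escaping does to untrusted input, next to the
// explicit Drupal 7 check_plain() call that a themer had to remember to make.
// Assumes Twig was installed with Composer, so vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample: a value a user could have typed into a text field.
$untrusted = '<img src=x onerror="alert(1)">';

// Drupal 7 style: equivalent of check_plain(), which is htmlspecialchars()
// with ENT_QUOTES and UTF-8. Forgetting this call in a theme was the XSS.
function d7_check_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$twig = new Environment(new ArrayLoader([
    // Drupal 8 style: nothing to remember, {{ content }} is escaped by default.
    'escaped.html.twig' => '<div class="field">{{ content }}</div>',
    // The |raw filter flags the value as safe and bypasses escaping. It is only
    // appropriate for markup that has already been filtered (e.g. by a text format).
    'raw.html.twig'     => '<div class="field">{{ content|raw }}</div>',
]), ['autoescape' => 'html']);

echo "D7 check_plain():     ", d7_check_plain($untrusted), "\n";
echo "D8 {{ content }}:     ", $twig->render('escaped.html.twig', ['content' => $untrusted]), "\n";
echo "D8 {{ content|raw }}: ", $twig->render('raw.html.twig', ['content' => $untrusted]), "\n";
```

The first two lines of output show the tag with its angle brackets and quotes turned into entities; the third prints the markup untouched. That is why Drupal 8 reserves unescaped output for values it already knows to be safe (strings implementing MarkupInterface, i.e. output of a text format filter), and why a |raw filter in a custom theme is the first thing to look at when reviewing it for XSS.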
2. Removed PHP input filter and the use of PHP as a configuration import format

OK, maybe this should have been number one. Drupal 8 does not include the PHP input format in core. In addition to encouraging best practices (managing code in a revision control system like git), this means that Drupal no longer makes it trivial to escalate an administrator login to being able to execute arbitrary PHP code or shell commands on the server.

For Drupal 7, importing something like a View required importing executable PHP code, and for certain custom block visibility settings, etc., you would need to enter a PHP snippet. These uses of evaluated PHP (exposing possible code execution vulnerabilities) are all gone; see the next point about configuration management.

Now that we have covered the top two, the rest of the 10 are in rather arbitrary order.

3. Site configuration exportable, manageable as code, and versionable

The Configuration Management Initiative (CMI) transformed how Drupal 8 manages things that would have been represented in Drupal 7 as PHP code, such as Drupal variables or ctools exportables (e.g. exported Views).

 CMI uses YAML as the export and import format and the YAML files can be managed together with your code and checked into a revision control system (like git). 
 Why is this a security enhancement? Well, in addition to removing the use of PHP code as an import format (and hence possible code execution vulnerability), tracking configuration in code makes it much easier to have an auditable history of configuration changes. This will make Drupal more appealing and suitable for enterprises that need strict controls on configuration changes in place. In addition, configuration can be fully tested in development and then exactly replicated to production at the same time as any corresponding code changes (avoiding mistakes during manual configuration).
 Finally, it is possible to completely block configuration changes in production to force deployment of changes as code.
4. User content entry and filtering improved

While the integration of a WYSIWYG editor with Drupal core is a big usability improvement, extra care was taken to mitigate poor practices that adding a WYSIWYG editor encouraged in past Drupal versions. In particular, users with access to the editor were often granted access to the full HTML text format, which effectively allowed them to execute XSS attacks on any other site user.

 To encourage the best practice of only allowing the use of the filtered HTML format, the Drupal 8 WYSIWYG editor configuration is integrated with the corresponding text filter. When a button is added to the active configuration, the corresponding HTML tag is added to the allowed list for the text filter.
Drag a new button from the available to enabled section in the editor configuration:

[Image: WYSIWYG editor configuration, adding the underline button]

The corresponding HTML tag (the U tag) is added to the allowed list:

[Image: the U tag is allowed in the filter]

An additional security improvement is that the core text filtering supports limiting users to using only images local to the site, which helps prevent cross-site request forgery (CSRF) and other attacks or abuses using images.

5. Hardened user session and session ID handling

There are three distinct improvements to session and session cookie handling. First, the security of session IDs has been greatly improved against exposure via database backups or SQL injection (7.x back-port). Previously in Drupal, the session ID was stored and checked directly against the incoming session cookie from the browser. The risk from this is that the value from the database can be used to populate the cookie in the browser and thus assume the session and identity of any user who has a valid session in the database. In Drupal 8, the ID is hashed before storage, which prevents the database value from being used to assume a user's session; the incoming value from the cookie is simply hashed in order to verify it.
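The hashed-storage scheme just described, as an added stand-alone PHP example (this is not Drupal's own session handler). The $sessions array is a constructed in-memory stand-in for the sessions table, the user ID is a sample value, and the script assumes PHP 7.3 or later.

```php
<?php
// Added example, not Drupal's own session handler: the server keeps only a
// hash of the session ID, so a copy of the sessions table cannot be replayed
// as a cookie. $sessions is a constructed in-memory stand-in for that table.

function hash_session_id(string $sid): string {
    // Drupal 8 uses Crypt::hashBase64() (URL-safe base64 of SHA-256); plain
    // hex SHA-256 is used here for readability.
    return hash('sha256', $sid);
}

function create_session(array &$sessions, int $uid): string {
    // 256 bits of CSPRNG output become the value handed to the browser...
    $sid = bin2hex(random_bytes(32));
    // ...while only its hash is persisted alongside the session data.
    $sessions[hash_session_id($sid)] = ['uid' => $uid, 'timestamp' => time()];
    return $sid;
}

function lookup_session(array $sessions, string $cookie_value): ?array {
    // Verification hashes the incoming cookie and looks that hash up.
    return $sessions[hash_session_id($cookie_value)] ?? null;
}

$sessions = [];
$browser_cookie = create_session($sessions, 42); // constructed sample uid

// Normal request: the browser presents the raw ID it was given.
$found = lookup_session($sessions, $browser_cookie);
echo "cookie from browser: ", $found ? "uid {$found['uid']}" : "no session", "\n";

// Someone holding a database dump has only the stored hash. Presenting that
// as the cookie fails, because it is hashed again before the lookup.
$leaked_value = array_key_first($sessions);
$found = lookup_session($sessions, $leaked_value);
echo "value from DB dump:  ", $found ? "uid {$found['uid']}" : "no session", "\n";
```

The second lookup fails because the stored column is a one-way hash of the cookie, not the cookie itself; that is the whole gain, and it costs one hash per request. Note that this protects against exposure of the stored value only (backups, SQL injection), not against a cookie captured in transit, which is what the SSL point below addresses.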
Next, mixed-mode SSL session support was added to core to support sites that, for example, used contributed modules to serve the login page over SSL while serving other pages unencrypted. You will have to replace the session handling service if you really need this. This encourages serving your entire site over SSL (which is also a search engine ranking boost).

The final change is that the leading "www." is no longer stripped from the session cookie domain, since that causes the session cookie to be sent to all subdomains (7.x back-port).

6. Automated CSRF token protection in route definitions

Links (GET requests) that cause some destructive action or configuration change need to be protected from CSRF, usually with a user-specific token in the query string that is checked before carrying out the action.
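To make the "user-specific token in the query string" concrete, here is an added PHP example of such a token being issued and checked. It is not Drupal's CsrfTokenGenerator (which similarly keys an HMAC with a per-session seed and site-wide secrets); the function names, the site key, the session seeds and the shortcut path are all constructed for the illustration.

```php
<?php
// Added example, not Drupal's CsrfTokenGenerator: a token bound to both the
// user's session and the specific route, checked before a destructive GET
// action runs. Keys and paths below are constructed sample values.

// Site-wide secret; a real site keeps one outside the web root.
$site_private_key = bin2hex(random_bytes(32));

function csrf_token(string $session_seed, string $route_path, string $site_key): string {
    // HMAC over the route path, keyed by a per-session random seed plus the
    // site key: a token for one session or one route is useless for another.
    return hash_hmac('sha256', $route_path, $session_seed . $site_key);
}

function csrf_valid(string $token, string $session_seed, string $route_path, string $site_key): bool {
    // hash_equals() avoids timing differences in the comparison.
    return hash_equals(csrf_token($session_seed, $route_path, $site_key), $token);
}

// What a route marked "_csrf_token: 'TRUE'" effectively gets for free:
// refuse unless the token in the query string validates for this session
// and this path, and only then run the action.
function delete_shortcut_link(array $query, string $session_seed, string $path, string $site_key): string {
    if (!isset($query['token']) || !csrf_valid($query['token'], $session_seed, $path, $site_key)) {
        return '403 Forbidden (missing or invalid CSRF token)';
    }
    return '200 OK (shortcut link deleted)';
}

$path = '/admin/config/user-interface/shortcut/link/7/delete-inline'; // constructed
$alice_seed = bin2hex(random_bytes(32)); // random seed stored in Alice's session
$other_seed = bin2hex(random_bytes(32)); // seed of some other user's session

// The link rendered for Alice carries her token in the query string.
$alice_link = $path . '?token=' . csrf_token($alice_seed, $path, $site_private_key);
parse_str(parse_url($alice_link, PHP_URL_QUERY), $query);

echo "Alice follows her own link:        ", delete_shortcut_link($query, $alice_seed, $path, $site_private_key), "\n";
// A link without a token, e.g. embedded on a third-party page, is refused.
echo "Same URL with no token:            ", delete_shortcut_link([], $alice_seed, $path, $site_private_key), "\n";
// A token issued to a different session does not validate for Alice's.
$other_query = ['token' => csrf_token($other_seed, $path, $site_private_key)];
echo "Token issued to another session:   ", delete_shortcut_link($other_query, $alice_seed, $path, $site_private_key), "\n";
```

Binding the token to the route path is what makes the one-line YAML requirement shown below sufficient: the token Drupal generates for one protected link cannot be reused on another, and because the seed lives in the session, the token cannot be precomputed for a victim.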

This change improves the developer experience and security by automating a process frequently forgotten or done incorrectly in contributed modules. In addition, centralizing the code makes it easier to audit and provide test coverage. Drupal 8 makes it easy: a developer merely needs to specify that a route (a system path in Drupal 7 terms) requires a CSRF token. Here is an example of the YAML route definition for a protected link on a Drupal 8 entity (here, the shortcut entity):

entity.shortcut.link_delete_inline:
  path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
  defaults:
    _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
  requirements:
    _entity_access: 'shortcut.delete'
    _csrf_token: 'TRUE'

Only the one line in the requirements: section needs to be added to protect shortcut deletion from CSRF.

7. Trusted host patterns enforced for requests

Many Drupal sites will respond to a page request using an arbitrary host header sent to the correct IP address. This can lead to cache poisoning, bogus site emails, bogus password recovery links, and other problems with security implications. For earlier versions of Drupal, it can be a challenge to correctly configure the webserver for a single site that uses sites/default as its site directory to prevent these host header spoofing attacks. Drupal 8 ships with a simple facility to configure expected host patterns in settings.php and warns you in the site status report if it's not configured.

8. PDO MySQL limited to executing single statements

If available, Drupal 8 will set a flag that limits PHP to sending only a single SQL statement at a time when using MySQL. This change would have reduced the severity of SA-CORE-2014-005 (a SQL injection vulnerability that was easily exploited by anonymous users) (7.x back-port). Getting this change into Drupal 8 meant I first had to contribute a small upstream change to the PHP language itself, and to the PDO MySQL library that is available in PHP versions 5.5.21 or 5.6.5 and greater. There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used.

9. Clickjacking protection enabled by default

A small change, but Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. This header is respected by most browsers and prevents the site from being served inside an iframe on another domain. This blocks so-called click-jacking attacks (e.g. forms or links on the site being presented in a disguised fashion on an attacker's site inside an iframe), as well as blocking the unauthorized re-use of site content via iframes (7.x back-port).

10. Core JavaScript API compatible with CSP

Support for inline JavaScript was removed from the #attached property in the Drupal render API. In addition, the Drupal JavaScript settings variables are now added to the page as JSON data and loaded into a variable instead of being rendered as inline JavaScript. This was the last use of inline JavaScript by Drupal 8 core, and means that site builders can much more easily enable a strict content security policy (CSP), a new web standard for communicating per-site restrictions to browsers and mitigating XSS and other vulnerabilities.

A final note of caution: the substantial code reorganization and refactoring in Drupal 8, as well as the dependence on third-party PHP components, does present a certain added risk. The code reorganization may have introduced bugs that were missed by the existing core tests. The third-party components themselves may have security vulnerabilities that affect Drupal, and at the very least, we need to track and stay up to date with them and fix our integration for any corresponding API changes.
In order to try to mitigate the risk, the Drupal Association has been conducting the first Drupal security bug bounty that has been run for any version of Drupal core. This has uncovered several security bugs and means they will be fixed before Drupal 8 is released. - Source: https://goo.gl/i2CCxj ... Read more
Adrian Ababei / Oct 23'2015
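For the "trusted host patterns" point (item 7) in the post above, here is an added PHP example of the setting and of the check it drives. The $settings['trusted_host_patterns'] key is the real Drupal 8 settings.php setting; host_is_trusted() is a stand-alone re-implementation written for this illustration (Drupal itself hands the patterns to Symfony's Request::setTrustedHosts()), and the host names are constructed samples.

```php
<?php
// Added example for the trusted host patterns point. The $settings key is the
// real Drupal 8 settings.php setting; host_is_trusted() is an illustration of
// the check, not Drupal's code; the Host header values are constructed.

// settings.php: anchored regular expressions, matched case-insensitively.
// Both the bare and the www. form are listed; no other name is answered.
$settings['trusted_host_patterns'] = [
    '^www\.example\.com$',
    '^example\.com$',
];

function host_is_trusted(string $host_header, array $patterns): bool {
    // Drop an explicit port, then require a full anchored match on one pattern.
    $host = strtolower(trim(preg_replace('/:\d+$/', '', $host_header)));
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host) === 1) {
            return true;
        }
    }
    return false;
}

// Host headers a client may send to the server's IP address. Only requests
// for the configured names are served; the rest are rejected instead of
// being used to build cache entries, site emails or password reset links.
$samples = [
    'www.example.com',
    'example.com:443',
    'EXAMPLE.COM',
    'staging.example.com',       // not listed, so not served until it is added
    'example.com.elsewhere.test', // would slip past an unanchored pattern
];
foreach ($samples as $h) {
    printf("%-28s %s\n", $h, host_is_trusted($h, $settings['trusted_host_patterns']) ? 'trusted' : 'rejected');
}
```

The last sample is the reason the patterns are anchored with ^ and $: without the anchors, '^example\.com' would also accept any name that merely starts with the site's domain. A site that needs to answer on more names (a staging host, a language-specific domain) lists each of them rather than loosening a pattern.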
At OPTASY we're big fans of Drupal. While we remain a technology-agnostic firm and believe in matching organization needs with the best technology available, we believe Drupal is an excellent platform that addresses a wide range of web requirements. Now, with the recent beta version release of Drupal 8, the future of Drupal is incredibly bright.

Drupal 8, which is currently in beta mode and slated for full production release sometime in 2015, represents a large-scale reimagining of the core Drupal application. The result of this grand effort is a much more cohesive, flexible and integrated platform on which to build websites of the future. Some folks have come to us and are already considering the move to Drupal 8 and are interested in becoming early adopters. However, before we get into specifics about Drupal 8, we want to highlight two key reasons we will likely continue to build on Drupal 7 for all of 2015 and into 2016:

The true power of Drupal lies in the community modules that are available, and it will be at least 3-6 months until a critical mass have been upgraded and are production ready for Drupal 8. This timeline starts once Drupal 8 is released into production.

In community development right now are a set of migration tools that should significantly ease the process of migrating from Drupal 7 to 8 at the appropriate time. This significantly reduces the reason to build on Drupal 8 out of the gate, and the majority of sites to start using 8 are likely to have been migrated from 7.

We would not support Drupal 7 if it was not a best-in-class application. That said, in building websites on 7, we have spent much time over the years on activities such as turning off unneeded features, applying a group of our favorite modules to streamline and improve the admin interface, and tying in an array of symbiotic third-party tools for caching and performance.

While this knowledge is great for an agency that works with Drupal constantly, it can be harder for non-expert Drupal users to get up to speed. The inclusion of many strategies we use for Drupal 7 natively into Drupal 8 will be great for getting sites up to speed quickly. We have also written about some of our other Drupal implementation best practices, which may be interesting to those looking for a more technical experience with Drupal.

Drupal 8 Features We Love

1. Manage your site's content... from your phone.

Anyone who has ever administered a website knows that it's best done while using a desktop or laptop. Much of the backend functionality simply doesn't work, or doesn't support mobile platforms. Enter Drupal 8, which is being built from the ground up with a focus on multi-device support. The core themes available for Drupal 8 will utilize responsive design, on both the front and back end. Not only will visitors to your site have an optimized viewing experience for every device, your administrators will be able to manage the site from mobile devices as well.

2. Add new features to your live site with ease.

Prior versions of Drupal store virtually all configuration settings in the Drupal database, alongside all site content (such as pages, menus, blocks, metadata and users). This approach greatly complicates deploying your updated site (e.g. code with new features) to your live site, as you can't simply overwrite the live database without erasing your latest content and user activity in the process. In Drupal 7 we use the Features and Strongarm modules to build exportable packages of settings; Drupal 8 now stores these settings in files found in your library directory. This greatly simplifies deploying configuration changes such as new content types, fields or views from development to production.

3. Improved performance capabilities through modernization.

As part of the overall transition to the Symfony framework, Drupal 8 offers an alternative to the unique "hook" system for attaching modules to Drupal core. Through the Symfony Event Dispatcher, application components can communicate with one another, allowing the system as a whole to run much more intelligently. What this means for the end user is that, unlike the default with prior versions of Drupal, the system does not need to load every enabled module with each page request. And as many core Drupal hooks have been replaced, Drupal as an application is well on its way to potentially replacing hooks altogether in Drupal 9.

4. Integration capabilities significantly improved.

Already one of the most flexible platforms when it comes to integrating with third-party applications, Drupal 8 takes the possibilities to an entirely different level. Using the new REST & Serialization APIs, site builders will be able to output serialized data as JSON and XML from Drupal, almost as easily as they can normal HTML output.

5. Take your website around the world.

Drupal 7 supports multilingual functionality, but not at the level that Drupal 8 will. Imagine translating your site's content to any one of the 110 different supported languages with a few clicks. You'll be able to not only translate a page's content for a specific language, but also build views and determine what blocks should appear for that language. Translation updates will also be pushed to the site automatically to make sure your site has the latest dictionary.

Why We Love Drupal in General

1. Site management made easy with Drupal content types.

One of the keys to getting the most benefit from a CMS lies in the separation of content from design and layout. The greater extent to which you can isolate these two site components, the more your graphic designers and content authors/editors can be freed to do their jobs without interference from one another.

Drupal bakes this concept into its very core by making it quite easy to create numerous individual content types, each with its own collection of fields and possible field types. Gone are the days where authors are presented a blank slate for each page via a single rich text area. With Drupal, your designers can easily ensure these fields get styled correctly and displayed in the right orientation, while authors are presented with simple fields to fill out and edit.

2. Scalability and flexibility galore.

Drupal is one of the most flexible platforms on the market right now and allows virtually unlimited customization in the front end, backend, and everything in between. The key lies in the thousands of excellent off-the-shelf modules available at drupal.org. While some may require customization, they can be added on to core Drupal with relative ease. This ensures your site can grow and change as your organization does the same.

3. System administrator automation via Drush.

Freely available for download and immediate use on all Drupal sites, Drush provides an awesome command-driven interface for managing Drupal. Admin tasks that require many clicks and page refreshes are easily reduced to a single command. For example, we find Drush most useful in the creation of new user accounts (especially if you need to create many at once), generation of system backups, application of core and module updates, and migration of content from other systems.

4. Robust security and overall support options.

Software companies typically have dozens, or at most hundreds, of developers working on support, bug fixes, new features and integrations. The Drupal community comprises over 180,000 active contributors. This facilitates rapid advancement for Drupal and establishes a very large population of modules and integrations. ... Read more
Adrian Ababei / Feb 24'2015